A USB drive tainted with "crimeware" infected a turbine-control system at a U.S. power plant in early October and delayed its restart by three weeks, according to the Homeland Security Department.

At another plant, government computer experts discovered "common and sophisticated malware" on several workstations, including two that were critical to the plant's operation. There was no mention of whether the infection might have come from individuals or other governments.

The quarterly report indicated that the power plant's antivirus and security precautions were not up to date.

In the second incident — CERT does not say when — an employee asked IT staff to inspect a USB drive he used to back up control systems. Up-to-date antivirus "produced three positive hits" for a virus, including one "linked to known sophisticated malware."

The utility then called ICS-CERT, which reported:

ICS-CERT's onsite discussions with company personnel revealed a handful of machines that likely had contact with the tainted USB drive. These machines were examined immediately and drive images were taken for in-depth analysis. ICS-CERT also performed preliminary onsite analysis of those machines and discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment. Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations.

No signs of infection were found on 11 other crucial workstations.

CERT did not say whether the second infection disrupted plant operations.

Last week, Homeland Security urged computer users to disable or uninstall the Java programming language because of a serious security vulnerability that lets hackers install malicious code that can steal personal information.